WIXLIB

RSA SecurID TokensNASA uses RSA SecurID technology to provide secure authentication to its supercomputing resources. To loginto the systems in the NAS secure enclave, all NAS users must have an RSA SecurID token.When you get a new NAS account or need to renew an existing NAS token, you can choose one of two types: Hard token (a small hardware device called a fob) Soft token (a software app installed on your iPhone or Android device)Both types of token generate a pseudo-random number, called a tokencode, at regular intervals. Thetokencode is used in conjunction with a personal identification number (PIN) to authenticate to NAS systems.This article describes each type of token and how to enable it. To learn more about RSA SecurIDtechnology, see the RSA website.Note: If your RSA SecurID token was provided by NAS and you need support, please contact the NAS ControlRoom at (800) 331-8737 or (650) 604-4444. If your token was provided by another NASA center, pleasecontact your local help desk for assistance.Hard Token (Fob): DescriptionThe RSA SecurID fob generates and displays a six-digit token code every 30 seconds. Your PIN is combinedwith the tokencode currently displayed on the device to create a passcode, and the passcode is used toauthenticate into NAS systems. This is known as One Time Password (OTP) technology.For example, a PIN xyy123zzz combined with the tokencode shown below creates a one-time passcode,xy123zzz101568:On the left end of the display, six bars serve as a countdown timer for the currently displayed tokencode.Once the bars are gone, a new random number is displayed and the six bars re-appear to restart thecountdown process.The back side of the fob has three identifiers: Unique serial number Expiration date Manufacturer's batch numberFob CareDo not expose the fob to extreme temperature, pressure, x-rays, or magnetic fields.If your NAS-supplied RSA SecurID fob is damaged or lost, immediately contact the NAS Control Roomat (800) 331-8737 or (650) 604-4444 to request a replacement fob. Replacement may take a few days,depending on postal delivery times. Therefore, to help you access NAS systems while you wait for yournew fob to arrive, the Control Room analyst can issue you a set of 10 temporary passwords (eachusable only once and in combination with your PIN). You may request another set if the initial set is usedbefore your fob arrives.To enable your fob, see "Enabling Your RSA SecurID Hard Token (Fob)" on page 3.1

Soft Token (App): DescriptionThe RSA SecurID soft token app is available for your iOS or Android device.Like the fob, the soft token displays a tokencode every 30 seconds. However, the soft token uses a different,two-step method of associating a PIN with a tokencode. First, you enter your PIN into the app, as shown inthe first screen below. The second screen displays an eight-digit tokencode:This eight-digit tokencode is your entire passcode. Because it is associated with the PIN that was used toobtain it via the soft token, it does not need to be combined with the PIN to log into NAS systems or otheragency systems.Tip: Some agency systems may specify that your passcode is your PIN tokencode. If you have an RSASecurID soft token, disregard this instruction. Enter only the tokencode.To enable your soft token, see "Enabling Your RSA SecurID Soft Token (Mobile App)" on page 5.2

Enabling Your RSA SecurID Hard Token (Fob)Before You Begin: Use this procedure if you have an RSA SecurID Hard Token (fob). If you have a NASprovided soft token (mobile app), see "Enabling Your RSA SecurID Soft Token" on page 5.If you are a new user logging in for the first time, complete Steps 1-3 to enable your RSA SecurID fob, set upa personal identification number (PIN), and change your default NAS password.If you are a current user and you just need to enable a new fob, complete Steps 1 and 2.Note: These steps apply only to the agency-wide RSA SecurID fobs that are provided by the NAS Division atNASA Ames Research Center. If your token was provided by another NASA center, please contact your localhelp desk for assistance.Step 1: Enable Your RSA SecurID FobYour SecurID fob was sent in a disabled state. To enable the fob, call the NAS Control Room at (800)331-8737 or (650) 604-4444. NAS support staff will enable the fob remotely and set it to New PIN Mode. If youare a first-time user, a default NAS password will also be provided to you during the call.Please note that NAS support staff will confirm your identity by asking you the security question you submittedwith your account request form, or by calling you back at your phone number on record.Step 2: Log into an SFE and Set Up a PINBefore You Begin: Your local system must be configured to log in using the Secure Shell (SSH) protocol. Youwill also need your enabled RSA SecurID fob.1. On your local system, open a command-line interface terminal.2. Use SSH to log into an SFE, as follows:your local system% ssh sfeX.nas.nasa.govwhere sfeX is sfe1, sfe2, or sfe3.Note: If you use different usernames on your local system and NAS systems, add your NASusername before specifying the SFE. For example:your local system% ssh zsmith@sfe1.nas.nasa.gov3. At the "Enter PASSCODE" prompt, shown below, type the six-digit tokencode that is displayed onyour RSA SecurID -----------------PAM authenticationEnter PASSCODE:4. Follow the instructions at the next prompt to create a PIN, which must be exactly 8 alphanumericcharacters including both letters and numbers (no special characters). Letters are not ----------------------------PAM authenticationTo continue you must enter a new PIN. Are you ready to enter a new PIN? (y/n)PAM authenticationEnter a new PIN of 8 alphanumeric characters:PAM AuthenticationRe-enter new PIN to confirm:PAM AuthenticationNew PIN accepted, press enter to continue.Note: Memorize your PIN. Never write down your PIN.3

5. Wait for the tokencode displayed on your fob to change. Then, enter your PIN at the prompt, followedimmediately by the tokencode. For example, if your PIN is "d701398z" and your fob displays thetokencode "052993," type d701398z052993 and press -------------------PAM authenticationWait for token to change, and enter PASSCODE: d701398z052993Together, your PIN and your current tokencode comprise your RSA SecurID passcode.The new-PIN process is now complete, although you may not get clear confirmation on your screen.Currently, PINs do not expire, but this may change in the future.WARNING: Never divulge your PIN. NAS staff members will never ask you for your PIN. If you think someonemay have learned your PIN, call the NAS Control Room at (800) 331-8737 or (650) 604-4444.Step 3: Log in Again and Change Your Default NAS PasswordAfter you complete the new-PIN process, the system will prompt you to log in again. If you are a new NASuser, you must complete these steps to change your default NAS password.1. At the "Enter PASSCODE" prompt, enter your RSA SecurID passcode (your PIN followedimmediately by the tokencode displayed on your fob).2. At the next prompt, enter the default NAS password provided to you by NAS support staff.3. Change your default NAS password. (See "Password Creation Rules" on page 7.)Note: If you are not prompted to update your password after logging into the SFE, you can trigger aprompt by logging into a Lou front-end system (LFE) with the command ssh lou. You will beprompted to input your default NAS password, then asked to create and confirm a new password.4. Wait 15 minutes for the new password to propagate to all systems.Tip: Each tokencode displayed on your fob can be used only once. If you have to authenticate twice (forexample, if you mistype your NAS password), you must wait for your fob to display a new tokencode, and thenre-enter the entire passcode (PIN new tokencode).You have now completed your first-time authentication to NAS systems using your NAS password and yourRSA SecurID token. For information about subsequent logins, see the HECC Knowledge Base articleLogging into NAS Systems (requires RSA SecurID or NASA PIV card authentication).4

Enabling Your RSA SecurID Soft Token (Mobile App)Before You Begin: Use this procedure if you have an RSA SecurID Soft Token (mobile app). If you have aNAS-provided hard token (fob), see "Enabling Your RSA SecurID Hard Token" on page 3.If you are a new user logging in for the first time, complete steps 1-3 to enable your RSA SecurID soft token,set up a personal identification number (PIN), and change your default NAS password.If you are a current user and you just need to enable your soft token, complete steps 1 and 2.Note: These steps apply only to the agency-wide RSA SecurID fobs that are provided by the NAS Divisionat NASA Ames Research Center. If your token was provided by another NASA center, please contactyour local help desk for assistance.Step 1: Download the RSA SecurID App and Obtain Token Import URL1. Download the RSA SecurID Software Token app from the Apple App Store or Google Play to youriOS or Android device.2. Open the RSA SecurID app and locate your Binding ID (iOS) or Device ID (Android).3. Select Email Binding ID (iOS) or Email Device ID (Android) and send the email tosupport@nas.nasa.gov.4. Wait for a reply from NAS support staff. You will receive an email containing your RSA SecurID softtoken import URL and instructions for setting it up.Step 2: Enable Your Soft Token and Create Your PINFollow the setup instructions provided in the email you received from NAS support staff. During this processyou will need to switch between your iOS or Android device and a computer with Internet access.First-time users will also need to contact the NAS Control Room to obtain a default NAS password. Pleasenote that NAS support staff will confirm your identity by asking you the security question you submitted withyour account request form or by calling you back at your phone number on record.WARNING: Never divulge your PIN. A NAS staff member will never ask you for your PIN. If you thinksomeone may have learned your PIN, call the NAS Control Room at (800) 331-8737 or (650) 604-4444.Step 3: Log into the Secure Enclave and Change Your Default NAS PasswordIf you are a new NAS user, you must complete the steps in this section to log into NAS systems for the firsttime and change your default password. (If you do not have a default NAS password, contact the NAS ControlRoom at (800) 331-8737 or (650) 604-4444.)Before You Begin: Your local system must be configured to log in using the Secure Shell (SSH) Protocol.1. On your local system, open a command-line interface (CLI) terminal.2. Use SSH to log into a secure front-end system (SFE), as follows:your local system% ssh sfeX.nas.nasa.govwhere sfeX is sfe1, sfe2, or sfe3.Note: If you use different usernames on your local system and NAS systems, add your NASusername before specifying the SFE. For example:your local system% ssh zsmith@sfe1.nas.nasa.gov5